A screenshot of an Apache server log showing infected Macs connecting to a Flashback command and control server. The user agent and referrer strings that show Windows NT 6.1 machines are set by Flashback; Intego has confirmed that the machines are, in fact, infected Macs.

The compromised Macs were observed connecting to command and control servers that had been "sinkholed" (taken over for research or security purposes) by analysts from security firm Intego. During a five-day period ending January 7, 22,000 Flashback-infected computers reported to server domains recently acquired by Intego, Arnaud Abbati, a researcher with the company, wrote in a blog post. Those machines could be maliciously controlled by anyone who has access to one of the many domain names programmed into Flashback's domain-generation algorithm, assuming they know how the internals of the malware work.

Flashback first came to light in 2011 when it took hold of people's machines by masquerading as a legitimate installer of Adobe's ubiquitous Flash media player. By early 2012, Flashback morphed from a socially engineered threat to one that performed surreptitious drive-by attacks by exploiting vulnerabilities in Oracle's Java software framework. Flashback was among the most sophisticated pieces of malware ever to target mainstream Mac users.

Self-encryption made it tough for researchers to reverse engineer or hijack the malware. Flashback was used primarily as a "click fraud" tool that caused infected Macs to view sponsored links that had the potential to generate millions of dollars in fraudulent ad revenue. It also had the ability to do much more, including sending spam, engaging in denial-of-service attacks, or logging passwords. Ars has published articles showing how to detect and remove Flashback here and here.

Among Flashback's capabilities was the periodic generation of a new set of domains that infected Macs would report to. To prevent Flashback operators from losing control of their machines, the malware was programmed to check a new pseudo-randomly generated domain each day in five separate top-level domains (TLDs). In an e-mail, Abbati explained:

An infected Mac tries to contact the same domain on five TLDs (.com, .net, .info, .in, .kz) until it finds one correct bot response. To block that chain you can't just buy the .com; there is a chance the hacker will test for all TLDs and purchase and use the others for malicious activity. The process is that the server answers back the infected Mac with secret data to prove that it is a Flashback botnet controller. After that handshake, the network packets are encrypted with the unique identifier given by the infected Mac on the first request to the C&C server. Then the server sends commands over the network to execute on the infected Mac, commands that can be: update your code with an external executable (by downloading it), execute a system command, launch a process, send local files from the infected Mac, etc. To resume, after the handshake with the secret data, the botnet server has full control over the infected Mac.
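A defender's view of the sinkhole log described above, as an added example that is not Intego's or Ars's code: it parses constructed Apache lines (assumed format: the combined log with the request's Host header appended via `%{Host}i`), keeps the beacons carrying the Windows NT 6.1 User-Agent the article says Flashback sets, counts distinct reporting machines per day, and reconstructs the .com/.net/.info/.in/.kz walk each client made for one generated label. The addresses, dates and the label `example-label` are constructed.

```python
import re
from collections import defaultdict

# The five TLDs an infected Mac walks through for one generated label (from the article).
FLASHBACK_TLDS = ("com", "net", "info", "in", "kz")

# Apache combined log format with the Host header appended (%{Host}i); this is an
# assumed sinkhole configuration, not a format the article documents.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):(?P<time>[\d:]+) [^\]]+\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" '
    r'"(?P<ua>[^"]*)" (?P<host>\S+)$'
)

# Constructed sample lines: one client walks .com -> .net -> .info before the sinkhole
# answers, another stops at .com, and a crawler hit shows what the filter drops.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Jan/2014:10:01:12 +0000] "GET / HTTP/1.1" 404 209 "http://example-label.com/" "Mozilla/5.0 (Windows NT 6.1)" example-label.com
198.51.100.7 - - [03/Jan/2014:10:01:13 +0000] "GET / HTTP/1.1" 404 209 "http://example-label.net/" "Mozilla/5.0 (Windows NT 6.1)" example-label.net
198.51.100.7 - - [03/Jan/2014:10:01:14 +0000] "GET / HTTP/1.1" 200 512 "http://example-label.info/" "Mozilla/5.0 (Windows NT 6.1)" example-label.info
203.0.113.9 - - [03/Jan/2014:11:20:00 +0000] "GET / HTTP/1.1" 200 512 "http://example-label.com/" "Mozilla/5.0 (Windows NT 6.1)" example-label.com
203.0.113.9 - - [04/Jan/2014:09:05:41 +0000] "GET / HTTP/1.1" 200 512 "http://other-label.com/" "Mozilla/5.0 (Windows NT 6.1)" other-label.com
192.0.2.44 - - [04/Jan/2014:12:00:00 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "Googlebot/2.1" example-label.com
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def split_host(host):
    """Split 'label.tld' into (label, tld); the generated label is everything before the last dot."""
    label, _, tld = host.rpartition(".")
    return label, tld


def flashback_beacons(log_text):
    """Keep requests whose User-Agent carries the Windows NT 6.1 marker Flashback sets
    and whose Host falls in one of the five TLDs the malware walks through."""
    beacons = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "Windows NT 6.1" in rec["ua"] and split_host(rec["host"])[1] in FLASHBACK_TLDS:
            beacons.append(rec)
    return beacons


def infected_ips_per_day(beacons):
    """Map each day to the set of client IPs that beaconed that day."""
    per_day = defaultdict(set)
    for rec in beacons:
        per_day[rec["day"]].add(rec["ip"])
    return dict(per_day)


def unique_infected(beacons):
    """Number of distinct reporting clients over the whole log (one IP per machine is assumed)."""
    return len({rec["ip"] for rec in beacons})


def tld_walks(beacons):
    """For each (client IP, generated label), the TLDs that client tried, in the walk order."""
    tried = defaultdict(set)
    for rec in beacons:
        label, tld = split_host(rec["host"])
        tried[(rec["ip"], label)].add(tld)
    return {key: [t for t in FLASHBACK_TLDS if t in tlds] for key, tlds in tried.items()}


if __name__ == "__main__":
    found = flashback_beacons(SAMPLE_LOG)
    print("distinct infected clients:", unique_infected(found))
    for day, ips in sorted(infected_ips_per_day(found).items()):
        print(day, len(ips), "clients")
    for (ip, label), walk in tld_walks(found).items():
        print(ip, label, "->", " then ".join("." + t for t in walk))
```

A client that reaches .info or later before getting a 200 is the chain Abbati describes: whoever holds only the .com would never see that machine, which is why the article treats the TLD set as one unit.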

Abbati went on to say that Apple countered the threat by reverse engineering the domain-generation algorithm and buying all of the names through the end of 2013. That prevented him or anyone else outside of Apple from monitoring the Flashback botnet. Then, at the beginning of the year, Apple failed to purchase some domain names, making it possible once again for Intego to peer into the inner workings of Flashback. Over the past few days, Apple has bought all of the 2014 domains. Abbati said that's a good thing for the safety of those who remain infected.

"With the number of computers still infected," he explained, "it’s conceivable that someone with malicious intent could also crack the algorithm, buy the domains, and use them to instruct the computers into nefarious action."

This article was updated to correct an erroneous detail in the second-to-last paragraph. The detail was provided by Intego, which notified Ars of the inaccuracy shortly after this post was published. The caption for the image has also been updated to explain why it shows Windows NT machines connecting to the control server.

How could someone else buy the domains if Apple has bought them all for the rest of the year? Is he talking about 2015 and beyond?

Apple's lease on the domains expired at the end of 2013. It now being 2014, they had to be released. Er... leased again.

This seems like a horrible way to "fix" the problem, though. Seems like with "only" 22k computers to take care of, Apple should be able to easily find out which computers those are (because they're contacting those domains) and pop up a screen saying "Hey. Your computer is infected. Fix it or you can't get back on the internet." along with instructions on how to fix it.


And not let them get back on the internet until they do.

This page from Apple suggests they already tried to remove Flashback variants through an update:

Quote:

This Java security update removes the most common variants of the Flashback malware.

I'm wondering if I'm misreading that and it means it removes the vulnerability for the malware to install or possibly the removal only works on certain versions of OSX? The Wiki page on the Flashback trojan suggests that the Apple removal tool doesn't support older versions of OSX.


... Apple should be able to easily find out which computers those are (because they're contacting those domains) and pop up a screen saying "Hey. Your computer is infected. Fix it or you can't get back on the internet." along with instructions on how to fix it. ...

This presumes that the computers which are infected are in some way accessible to Apple, by way of software updates or the like. If that were the case, then Apple would have already issued an update that removed the malware for the user.

If you're instead suggesting that Apple use the malware itself to distribute the fix... then in that case we would be talking about the gray area of "white-hat hacking" and that has its own issues in terms of both feasibility and legality.



It's AS illegal for apple to hijack a computer as it is for someone else to do so... even if it is for their own good. Besides, a lot of the trojans work the same way, "you are infected, pay us to clean it up or else."

There are services that will sit on a name and wait for it to expire, then buy it.

It is a bit silly to require Apple to buy these domain names until the zombie apocalypse. ICANN should simply retire domains used in fraud.

While there are services out there that will take them up, usually the registrar sits on expired names for a few months to see if anyone using their domain-buying services takes it up first.

So I guess that's why it's back in Apple's control and not gone away.

The domain names are generated by the malware and change over time. Apple had control over the domains which were used during 2013 but not over those that would be checked during 2014. Eventually, they bought that set too.

Does the Trojan allow you to run .exe's without permission? Would it be possible to set it so the websites tell the Trojan to download and run UninstallTrojan.exe?

It is OSX so they wouldn't be ".exe's" they would be a binary or an application.

I'm sure it would be possible to run the clean up the same way the exploit was run, but it seems like a very irritating way to deal with it. Especially considering many trojans would clean up so that nothing else could exploit what it exploited.

Apple has released software updates for systems running OS X Lion and Mac OS X v10.6 that will update Java to fix the security flaw, and remove the Flashback malware if it is present.

A standalone update is also available for OS X Lion that will remove the Flashback malware from systems that do not currently have Java installed.

Does Flashback target older versions of OS X, or does it strictly target Intel-era Macs? Heck, I know guys still running 10.3.9 and 10.4 on old G5 and G4s. There hasn't been a security or Java update for those machines in years.


This feels like the corporate world's IT version of a "short term fix"; like how when a person had their PC infected and the IT guy just simply did a factory restore. For Apple it gets them out of the loop of acknowledging an issue and issuing a notice about the need for security software. At the same level, while there is a sensible number of users aware of the security environment facing Apple, there's a scary number of people who still cling to the adage that Apple is impervious to virus and malware infections whatsoever.

Not a scientific poll by any means but 8 of 10 Apple users in my friend's circle believe that and it's never come up as a point of conversation at once.


Statistically, that’s true. Virus infections are practically nonexistent. If the largest known trojan infects 22k machines out of an installed base of 75M (.02%), I’ll settle for “impervious.”


Think about what you just said and then consider what would happen if you got an out-of-the-blue message on your computer? I think you wouldn't be so cheeky. I think you'd be in a rage. Now that would be funny.


Except at its peak the number was about 600,000, and the install base was about 60M at the time, so more like 1%.


Thanks for both parts of that answer. Last time I did anything with Apple was an attempt to install iTunes on a friend's Vista laptop around '09, so I didn't know Apple doesn't use .exe files.


It requires OS X 10.6.8 or later for the automatic detection and removal. I fixed a friend's MacBook Pro that was running the original OS X 10.6.3. Many people ignore the Software Update requests. Once the update was complete and it rebooted, it immediately detected and removed the Flashback malware that was infecting the Mac. I had no idea it was infected until I ran Software Update to bring it up to 10.6.8.

Can you clarify what you mean by stating that flashback is "still infecting 22,000 Macs". Taking this statement at its word seems to communicate that these are new infections. After reading the body of the article, I am inclined to believe that these are simply residual infections from the initial run over a year ago that were never cleaned up and are continuing to communicate to their herders.


I have no sympathy for the 22,000 people that readily have a free update to fix the problem and do not. That is on them. This isn't news ARS, move on. This is like reporting about a grain of sand on a beach full of sand.


Yeah, maybe it's time to dictate that once you get a lease on a domain name, it's yours forever.

Second, why aren't they contacting the people who are running these computers and telling them "You know, your computer has been pwn'd!"


If they do as others have suggested and send a notification that they are running an infected machine and prompt them to remove the infection, there are two problems: A) It's a legal grey area, as that in itself could be considered hacking, and B) it will almost certainly just lead to a bunch of ransomware that pretends to be Apple's yougotpwn'd software.


They can contact the ISPs and tell them "You know, the person at X address is running an infected machine!"

Listening for connections to malware is not the same thing as hacking, the courts have already pointed that out to the benefit of security companies.

...personally I'd rather have the OS vendor provide detection, removal, etc. tools in the OS itself, making them more automatic, rather than me having to go hunt for a 3rd-party tool. I prefer MS tools for this type of thing compared to 3rd parties on the Windows side of things as well.


Hey, ... I have an old dual 450 G5 tower running 10.4 24/7/364 in my garage ... Has been for ...? Maybe a decade? ... Pretty sure I ripped Java out of it years ago, .. It was always notoriously crap on Macs anyway. Sorry ...but, should I be worried about something?